
Internet Presents Web of Security Issues
[Note to Editors: For a downloadable copy of this story
with color graphics and sidebars, point your browser to
www.defenselink.mil or http://websecurity.afis.osd.mil.]
By Paul Stone
American Forces Press Service
WASHINGTON -- In a briefing room deep in the Pentagon
earlier this year, Air Force Lt. Col. Buzz Walsh and Maj.
Brad Ashley presented a series of briefings to top DoD
leaders that raised more than just a few eyebrows.
Selected leaders were shown how it was possible to obtain
their individual social security numbers, unlisted home
phone numbers, and a host of other personal information
about themselves and their families – simply by cruising
the Internet.
Walsh and Ashley, members of the Pentagon's Joint Staff,
were not playing a joke on the leaders. Nor were they
trying to be clever. Rather, they were dramatically and
effectively demonstrating the ease of accessing and
gathering personal and military data on the information
highway – information which, in the wrong hands, could
translate into a vulnerability.
"You don't need a Ph.D. to do this," Walsh said about the
ability to gather the information. "There's no rocket
science in this capability. What's amazing is the ease and
speed and the minimal know-how needed. The tools (of the
Net) are designed for you to do this."
The concern over personal information on key DoD leaders
began with a simple inquiry from one particular flag
officer who said he was receiving a large number of
unsolicited calls at home. In addition to having the
general's unlisted number, the callers knew specifically
who he was.
Beginning with that one inquiry, the Joint Staff set out to
discover just how easy it is to collect data not only on
military personnel, but the military in general. They used
personal computers at home, used no privileged information
– not even a DoD phone book – and did not use any on-line
services that perform investigative searches for a fee.
In less than five minutes on the Net, Ashley, starting with
only the general's name, was able to extract his complete
address and unlisted phone number and, using a map search
engine, build a map and driving directions to his house.
Using the same techniques and Internet search engines, they
visited various military and military-related Web sites to
see how much data, and what types, they could gather. What
they discovered was too much about too much, and seemingly
too little concern about the free flow of information vs.
what the public needs to know.
For example, one Web site for a European-based installation
provided more than enough information for a potential
adversary to learn about its mission and to possibly craft
an attack. Indeed, the Web site contained an aerial
photograph of the buildings in which the communication
capabilities and equipment were housed. By pointing and
clicking on any of the buildings, a Web surfer would learn
the name of the communications system housed in the
building and its purpose.
Taking their quest for easily accessible information one
step further, the Joint Staff decided to see how much
information could be collected just by typing a military
system acronym into an Internet search engine. While not
everyone would be familiar with defense-related acronyms,
many of them are now batted around the airwaves on talk
shows and on the Internet in military-related chat rooms.
They soon discovered how easy it was to obtain information
on almost any topic, with one Web site hyper-linking them
to another on the same topic.
What the Joint Staff was doing when they collected their
information is commonly called "data mining" -- surfing the
Net to collect bits of information on individuals, specific
topics or organizations, and then trying to piece together
a complete picture. Individuals do it, organizations do it
and some companies do it for profit.
While the information they discovered presented legitimate
concerns, it wasn't all negative. The Army's Ft. Belvoir,
Va., home page was cited as one example of a Web site which
served the needs of both the military and the public. It
had the sort of information families or interested members
of the public need and should get.
So what does all this mean? Is DoD creating individual and
institutional security problems? In the rush to make
information available to the internal audience, is too much
being made available to the public and those who might want
to inflict harm?
The Joint Staff doesn't pretend to have all the answers to
these questions, but is encouraging users to think about
these issues whenever they put information on the Internet;
and they believe that, in some cases, DoD is its own worst
enemy.
Michael J. White, DoD's assistant director for security
countermeasures, agrees with the Joint Staff analysis.
Moreover, as a security expert, he is concerned DoD does
indeed exceed what needs to be on the Internet.
"For fear of not telling our story well enough, we have
told too much," he said. "Personally, I think there's too
much out there … and you need to stop and ask the question:
Does this next paragraph really need to be there, or can I
extract enough or abstract enough so that the intent is
there without the specificity? And that is hard to do
because we are pressed every day. So sometimes expediency
gets ahead of pausing for a minute and thinking through the
process: Does the data really need to be there? Is it going
to hurt me tomorrow morning?"
DoD's policy on releasing information to the public, as
spelled out by Defense Secretary William Cohen in April
1997, requires DoD "to make available timely and accurate
information so that the public, Congress and the news media
may assess and understand the facts about national security
and defense strategy." The same statement requires that
"information be withheld only when disclosure would
adversely affect national security or threaten the men and
women of the Armed Forces."
"On the one hand," Ashley said, "we have fast, cheap and
easy global communication and coordination. On the other
hand, we find ourselves protecting official information and
essential elements of information against point-and-click
aggregation. Clearly, this balancing act is a function of
risk management. Full openness and full protection are
equally bad answers. We have a serious education, training
and awareness issue that needs to be addressed."
The Joint Staff repeatedly returns to the issue of
"point-and-click aggregation" as a problem that is often
overlooked when military personnel and organizations place
data on the Internet. What they're referring to is the
ability to collect bits of information from several
different Web sites to compile a more complete picture of
an individual, issue or organization with very little
effort.
"The biggest mistake people make is they don't understand
how easy it is to aggregate information," Walsh said.
The lesson from this is that even though what is posted on
the Net is perfectly innocent in and by itself, when
combined with other existing information, a larger and more
complete picture might be put together that was neither
intended nor desired.
A more obvious problem, yet still one not always considered
when posting information on the Internet, is that the "www"
in Web site addresses stands for "world wide" Web.
Information posted may be intended only for an internal
audience – perhaps even a very small and very specific
group of people. But on the Net, it's available to the
world.
This, security experts agree, is an enormous change from
the time when foreign intelligence gathering was extremely
labor intensive and could only be done effectively on U.S.
soil.
"If I'm a bad guy, I can sit back in the security of my
homeland and spend years looking for a vulnerability before
I decide to take a risk and commit resources," Ashley said.
"I'm at absolutely no risk by doing that. I can pick out
the most lucrative targets beforehand, and may even just
bookmark those targets for future use. We won't know
something has been compromised until it's too late."
White agrees with the Joint Staff's concern.
"You can sit in Germany and have access to the United
States just as easily as you can in Australia or the
People's Republic of China or Chile," White said. "It
doesn't matter where you are. You can go back and forth and
in between and lose your identity on the net
instantaneously. Those who seek to use the system feel
comfortable they won't be discovered."
In addition to these issues, security experts see another
recurring and disturbing problem. In the rush to take
advantage of the Net's timeliness and distribution
capabilities, military personnel are forgetting about or
ignoring the For Official Use Only policies which
previously made the information more difficult to obtain.
Yet anyone using the Internet doesn't have to venture far
into the array of military Web sites to come across one
which states: "For Official Use Only."
If the information is For Official Use Only, security
experts said Web site developers, managers and commanders
must ask themselves whether the information should be there
in the first place.
While officials are most concerned about the information
being placed on military Web sites, they had similar
warnings about individual or family Web sites. The Joint
Staff recommends the same precautions should apply at home,
especially as personnel move into high-ranking, key
leadership positions.
At a time when the flow of information is beyond anyone's
capability to either digest it or control its direction,
it's not likely the problems brought forward recently by
the Joint Staff will be solved any time soon. The first
step, security experts said, is awareness that the problems
exist. Commanders have to understand not just the
information capabilities of the World Wide Web, but the
information vulnerabilities as well.
The second step, Walsh pointed out, is for commanders to
become actively involved in the issue of what's being put
on the Internet. Current DoD policies require local
commander, public affairs and security reviews prior to
release of data on Web pages. But the flow of information
is so great, these reviews may not be occurring and few are
looking at the aggregation problem.
"I think it would be very appropriate for a public affairs
officer to be the commander's lead representative," Walsh
said. "But it's a commander's issue and it should go down
command lines. This is certainly an operational security
issue. Just like operational security is everybody's
business, this ultimately is everyone's responsibility."
White concurred and recommends installations create
"security-integrated product teams" which would be tasked
to develop and implement guidelines for creating and
monitoring Web sites on the installation.
"I think having a group come together before the (Web site
development) process begins will remove an awful lot of
pain in the long run," White said. "We need to step back
one step and think before we begin any effort, because once
it's done you can't undo it. That makes it very hard in a
digital environment."
Although it's not possible to retrieve what's already on
the World Wide Web, nor predict how it will influence
future security issues, Walsh, Ashley and White believe
it's not too late to make a difference. With a little more
forethought and a lot more planning, it will be possible to
better protect the next generation of warfighters, both on
and off the battlefield, they said.